1 YEAR UPGRADE
BUYER PROTECTION PLAN
Check Point NG
Next Generation Security Administration
• Bonus Coverage of CCSA NG Exam 156-210 Objectives
• Additional CCSA Self-Assessment Questions Available for Free Download
• Free Spoofing Chapter by Dan “Effugas” Kaminsky, World-Renowned Cryptography Expert
Drew Simonis, CISSP, CCSE
Corey S. Pincock, CISSP, CCSA
Daniel Kligerman, CCSE
Doug Maxwell, CCSI
Cherie Amon, CCSI, Technical Editor
Allen Keele, CCSI, Technical Reviewer
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

The site is an interactive treasure trove of useful information focusing on our book topics and related technologies. It offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
192_ChkPt_FM.qxd 2/22/02 2:37 PM Page i
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Check Point Next Generation Security Administration
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-74-1
Technical Editor: Cherie Amon
Technical Reviewer: Allen Keele
Acquisitions Editor: Jonathan E. Babcock
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Copy Editor: Janet Zunkel
Indexer: Nara Wood
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
Contributors
Drew Simonis (CISSP, CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is a Senior Security Engineer with the RL Phillips Group, LLC, where he provides senior level security consulting to the United States Navy, working on large enterprise networks. Drew is a security generalist, with a strong background in system administration, Internet application development, intrusion detection and prevention, and penetration testing. He is a co-author of Hack Proofing Your Web Applications (Syngress Publishing, ISBN: 1-928994-31-8) and Hack Proofing Sun Solaris 8 (Syngress, ISBN: 1-928994-44-X). Drew’s background includes various consulting positions with Fiderus, serving as a Security Architect with AT&T and as a Technical Team Lead with IBM. Drew has a bachelor’s degree from the University of South Florida and is also a member of American MENSA. He lives in Suffolk, Virginia with his wife, Kym and daughters, Cailyn and Delany. He would like to pay special thanks to Travis Corson and Ron Ostrenga for helping him break into the industry.
Daniel Kligerman (CCSA, CCSE, Extreme Networks GSE, LE) is a Consulting Analyst with TELUS. As a member of TELUS Enterprise Solutions Inc., he specializes in routing, switching, load balancing, and network security in an Internet hosting environment. A University of Toronto graduate, Daniel holds an honors bachelor of science degree in computer science, statistics, and English. Daniel currently resides in Toronto, Canada, and would like to thank Robert, Anne, Lorne, and Merita for their support.
Corey S. Pincock (CISSP, MCSE, GSEC, MCDBA, CCSA, CCNA) is the Senior Information Security Architect for CastleGarde in Tampa, Florida. As an expert in the information security aspects of Graham-Leach-Bliley and HIPAA, Corey consults with financial and healthcare organizations on a national level to implement information security programs that include policy development, risk assessments, security infrastructure design, implementation, training, and monitoring. Other specialties include firewall assessments and audits, Windows 2000, and cryptography. Corey’s background includes positions as a Network Administrator for CommerceQuest, Systems Engineer for MicroAge, and Senior Instructor for Certified Tech Trainers. Corey holds a bachelor’s degree from the University of Washington and is a member of ISSA. Corey lives in Tampa, Florida with his wife and two daughters. He would like to thank his wife, Shelly for encouraging him to be his best, and Allen Keele of Certified Tech Trainers.
Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California. Dan is also a co-author of the best-selling Hack Proofing Your Network (Syngress Publishing, ISBN: 1-928994-70-9).
Jeff Vince (CCSA, CCSE) is a security consultant in Waterloo, Ontario where he specializes in secure network architecture and firewall configuration for medium- to large-scale network installations. His specialties focus on security products ranging from anti-virus software to intrusion detection and enterprise security management software running on the Microsoft Windows and Linux platforms. In addition to normal client consulting work, Jeff has—as part of a team of security professionals—performed successful attack and penetration tests on networks owned by companies ranging from major financial institutions and broadband service providers to smaller software development companies. Working as both an outsider trying to break in and as a security manager responsible for securing corporate assets has given Jeff a unique perspective on network security. Applying this dual vision of security has allowed him to help clients build network infrastructure that provides the high availability and security required in today’s Internet environment.
Doug Maxwell (CCSI) is a Senior Network Engineer with Activis, Ltd. in East Hartford, Connecticut. He currently works as a third-tier engineer in the technical support division, and is a certified Check Point instructor. His specialties include Unix network security and firewall network integration. Doug holds a bachelor of science degree in computer science from the University of Massachusetts at Amherst, and is a member of the Association for Computing Machinery (ACM), USENIX, and SAGE, the System Administrator’s Guild. He happily resides in Ellington, Connecticut with his wife and 1-year-old son.
Simon Desmeules (CCSE, ISS, MCSE+I, CNA) is an independent security perimeter specialist. He currently provides architectural design, technical consulting, and tactical emergency support for perimeter security technologies for several Fortune 1000 companies in Canada and the United States. Simon’s background includes positions as a Firewall / Intrusion Security Specialist for a pioneer of Canadian Security, Maxon Services, and their Managed Security clients. He is an active member of the FW-1, ISS & Snort mailing lists where he discovers new problems and consults with fellow security specialists.
Technical Editor
Cherie Amon (CCSA, CCSE, CCSI) is a Senior Network Security Engineer and Security Instructor for Integralis. She is a Check Point Certified Security Instructor and has been installing, configuring, and supporting Check Point products since 1997. Cherie teaches the Check Point courses at the Integralis Authorized Training Center (ATC) in East Hartford, Connecticut, which is the only Check Point ATC in the state. Prior to working at Integralis, she held a position at IBM supporting the IBM Global Dialer, which is now the ATT Global Dialer. Cherie lives in Tampa, Florida and attended college at the University of South Florida in Tampa, where she is now pursuing a math degree. She would like to thank her husband, Kyle Amon, and father, Jerry Earnest, for leading her in the direction of computers and technology.
Technical Reviewer

Allen Keele is an author and lecturer and holds over 20 technical accreditations including CISSP, SCNP, CCSE+, CCSI, CCNP, CCDA, NSA, NVGA, MCSE, CCEA, CCI, and PSE. Allen holds a business degree in risk management from the University of Georgia, and has provided advanced technical and security training throughout the United States and Western Europe since 1998. He currently leads Certified Tech Trainers, Inc. to provide comprehensive InfoSec training throughout the United States and Europe for Check Point (CCSE/CCSE/CCSE+) and Security Certified Program (SCNP/SCNA) accreditation.
Contents
Foreword xxv
Chapter 1 Introduction to Check Point Next Generation 1
Introduction 2
Introducing the Check Point Next Generation Suite of Products 2
VPN-1/FireWall-1 4
Account Management (LDAP) 7
SecuRemote/Secure Client 8
Reporting Module 9
Check Point High Availability (CPHA) 11
UserAuthority 12
FloodGate-1 12
Meta IP 14
Understanding VPN-1/FireWall-1 SVN Components 15
VPN-1/FireWall-1 Management Module 16
Central Management of VPN-1/FireWall-1 Modules 16
SecureUpdate 20
SecureXL 21
Graphical User Interface 22
Security Dashboard 22
Policy Server 26
Desktop Security 27
Looking at Firewall Technology 27
Proxy Server vs. Packet Filter 28
Performance and Scalability 29

The Management Server and firewall enforcement modules can be installed on any of the following:
■ Windows 2000 with or without Service Pack 1
■ Windows NT 4.0 with Service Pack 4 or greater
■ Sun Solaris 8
■ Sun Solaris 7
■ RedHat Linux 6.2, 7.0 and 7.2
192_ChkPt_toc.qxd 2/26/02 10:04 AM Page xi
FireWall-1’s Inspection Engine 30
Performance and Scalability 32
Summary 34
Solutions Fast Track 36
Frequently Asked Questions 39
Chapter 2 Installing and Configuring VPN-1/FireWall-1 Next Generation 41
Introduction 42
Before You Begin 42
Obtaining Licenses 44
Securing the Host 45
Disabling Services 46
Routing and Network Interfaces 49
Enabling IP Forwarding 50
Configuring DNS 51
Preparing for VPN-1/FireWall-1 NG 52
Administrators 57
GUI Clients 58
Upgrading from a Previous Version 59
Installing Check Point VPN-1/FireWall-1 NG on Windows 60
Installing from CD 60
Configuring Check Point VPN-1/FireWall-1 NG on Windows 72
Licenses 73
Administrators 76
GUI Clients 78
Certificate Authority Initialization 81
Installation Complete 83
Getting Back to Configuration 85
Uninstalling Check Point VPN-1/FireWall-1 NG on Windows 88
Uninstalling VPN-1 & FireWall-1 88
Uninstalling SVN Foundation 91
Uninstalling Management Clients 93
Installing Check Point VPN-1/FireWall-1 NG on Solaris 94

Configuring & Implementing… Fetching Licenses
If you have saved your license(s) to a file with a .lic extension (e.g. licenses.lic), then you could alternatively use the “Fetch from File…” button that would enable you to browse your file system for the file. Once you’ve located the *.lic file, select Open, and the license details will be imported into the Licenses configuration window.
Installing from CD 95
Configuring Check Point VPN-1/FireWall-1 NG on Solaris 103
Licenses 103
Administrators 105
GUI Clients 107
SNMP Extension 109
Group Permission 110
Certificate Authority Initialization 111
Installation Complete 112
Getting Back to Configuration 116
Uninstalling VPN-1 & FireWall-1 118
Uninstalling SVN Foundation 122
Uninstalling Management Clients 125
Installing Check Point VPN-1/FireWall-1 NG on Nokia 126
Installing the VPN-1/FireWall-1 NG Package 127
Upgrading IPSO Images 128
Installing VPN-1/FireWall-1 NG 129
Configuring VPN-1/FireWall-1 NG on Nokia 132
Summary 135
Solutions Fast Track 136
Frequently Asked Questions 139
Chapter 3 Using the Graphical Interface 141
Introduction 142
Managing Objects 142
Network Objects 144
Workstation 145
Network 148
Domain 149
OSE Device 150
Embedded Device 152
Group 153
Logical Server 154
View Selection
Address Range 156
Gateway Cluster 156
Dynamic Object 157
Services 159
TCP 159
UDP 160
RPC 161
ICMP 161
Other 163
Group 164
DCE-RPC 164
Resources 165
URI 165
URI for QoS 165
SMTP 165
FTP 165
OPSEC Applications 166
Servers 166
Radius 166
Radius Group 167
TACACS 167
DEFENDER 167
LDAP Account Unit 168
Certificate Authority 168
SecuRemote DNS 169
Internal Users 169
Time 170
Group 170
Scheduled Event 171
Virtual Link 171
Adding Rules 171
Rules 172
Adding Rules 173
Source 173
Destination 173
Service 173
Action 174
Track 174
Install On 175
Time 175
Comment 175
Global Properties 175
FireWall-1 Implied Rules 175
Viewing Implied Rules 177
SYNDefender 177
Security Server 178
Authentication 179
VPN-1 179
Desktop Security 179
Visual Policy Editor 179
Gateway High Availability 179
Management High Availability 179
Stateful Inspection 180
LDAP Account Management 180
Network Address Translation 180
ConnectControl 180
Open Security Extension 180
Log and Alert 180
SecureUpdate 181
Log Viewer 183
Column Selections 185
System Status 186
Summary 187
Solutions Fast Track 187
Frequently Asked Questions 189
Chapter 4 Creating a Security Policy 191
Introduction 192
Reasons for a Security Policy 192
How to Write a Security Policy 193
Security Design 196
Firewall Architecture 197
Writing the policy 197
Introduction 199
Management High Availability
When performing a manual synchronization, you have two modes of behavior to select from.
■ Synchronize Configuration Files Only: If this is selected, only the database and configuration files will be synchronized between Management Modules.
■ Synchronize Fetch, Install and Configuration files: This mode also synchronizes the Fetch and Install files, allowing the interaction with a standby management server.
Guidelines 199
Standards 200
Procedures 200
Deployment 201
Enforcement 201
Modifications or Exceptions 202
Implementing a Security Policy 202
Default and Initial Policies 202
Translating Your Policy into Rules 203
Defining A Firewall Object 205
Define Rule Base 211
Manipulating Rules 215
Cut and Paste Rules 215
Disable Rules 215
Delete Rules 216
Hiding Rules 216
Drag and Drop 217
Querying the Rule Base 217
Policy Options 218
Verify 218
Install 218
Uninstall 219
View 219
Access Lists 219
Install Users Database 219
Management High Availability 220
Installing a Security Policy 220
Policy Files 221
Summary 223
Solutions Fast Track 223
Frequently Asked Questions 226
Chapter 5 Applying Network Address Translation 229
Introduction 230
Hiding Network Objects 230
Routing and ARP 234
Answers to Your Frequently Asked Questions
Q: Should I configure NAT rules manually, or use FireWall-1 to generate them automatically?
A: No matter how you configure NAT, the end result should be the same. In fact, if you configure NAT automatically, you should still check the NAT rule base to ensure that the rules ended up as you expected. So, the answer to this question really depends on your familiarity and comfort level with NAT and with FireWall-1 in general.
Configuring Static Address Translation 236
Static Source 236
Static Destination 239
Routing and ARP 241
Automatic NAT Rules 242
Automatic Hide 243
Automatic Static 244
Static NAT in Win2k 245
Routing and ARP 246
NAT Global Properties 247
Summary 249
Solutions Fast Track 249
Frequently Asked Questions 251
Chapter 6 Authenticating Users 255
Introduction 256
FireWall-1 Authentication Schemes 256
S/Key 257
SecurID 258
OS Password 258
VPN-1 & FireWall-1 Password 259
RADIUS 260
AXENT Pathways Defender 261
TACACS 263
Defining Users 264
Creating a Wildcard User 264
Creating and Using Templates 265
Creating Groups of Users 268
User Authentication 269
Client Authentication 275
Client Authentication versus User Authentication 282
Session Authentication 282
Session Authentication versus Client and User Authentication 288
LDAP Authentication 289
LDAP Account Unit 291
User Access
To configure user authentication, create a new rule in your rule base, right-click on the Source section, and choose Add User Access.
LDAP Administration 294
Schema Configuration 294
Managing LDAP Users 295
Summary 301
Solutions Fast Track 302
Frequently Asked Questions 304
Chapter 7 Open Security (OPSEC) and Content Filtering 307
Introduction 308
OPSEC Applications 308
Content Vectoring Protocol (CVP) 310
Defining Objects 310
Creating a CVP Resource 311
Using the Resource in a Rule 314
CVP Group 316
URI Filtering Protocol (UFP) 318
Defining Objects 318
Creating a URI Resource to Use UFP 320
Using the Resource in a Rule 323
UFP Group 324
Application Monitoring (AMON) 324
Client Side OPSEC Applications 326
Event Logging API 326
Log Export API 326
Suspicious Activities Monitoring 327
Object Management Interface 327
Check Point Management Interface 328
UserAuthority API 328
Other Resource Options 328
URI Resources 329
URI file 330
URI Wild Cards 332
SMTP Resources 336
FTP Resources 340
TCP 341
OPSEC Applications
■ There are three types of OPSEC Server applications: CVP, UFP and AMON.
■ OPSEC Client applications, as a general rule, either send data to or pull data from VPN-1/FireWall-1 and generally do not affect the control process directly as servers do.
■ ELA allows third party applications to send log data to the VPN-1/FireWall-1 log database for consolidation and alerting functions.
■ LEA provides a method for applications to extract, historically or in real time, log data from the central log database.
■ SAM provides a conduit for IDS devices to signal and make changes to the current Security Policy, such as blocking traffic from a specific host.
■ The OMI provides support for legacy applications that need to access the VPN-1/FireWall-1 object database.
Summary 344
Solutions Fast Track 345
Frequently Asked Questions 349
Chapter 8 Managing Policies and Logs 353
Introduction 354
Administering Check Point VPN-1/FireWall-1 NG for Performance 355
Configuring NG for Performance 355
Administering NG for Performance 358
Monitoring NG for Performance 363
Platform Specific Tools 367
Performance Conclusion 368
Administering Check Point VPN-1/FireWall-1 NG for Effectiveness 368
Quality Control 368
Patches and Updates 370
Policy Administration 371
Managing Multiple Policies 372
Editing Files 373
Managing Firewall Logs 375
Log Rotations 376
Log Maintenance 380
Administering Check Point VPN-1/FireWall-1 NG for Recoverability 380
Making Backups 380
Performing Advanced Administration Tasks 382
Firewall controls 382
fwstop 382
fwstart 382
cpstop 383
cpstart 383
cpconfig 383
cpstat 383
fw 383
Firewall Processes 385
Configuring NG for Performance
There are a number of things that you can do when initially configuring FireWall-1 NG so that it provides optimum performance for your environment.
■ Use hosts files on management servers and remote enforcement modules.
■ Disable decryption on accept.
■ Modify logging Global Properties.
*NIX 385
Nokia 386
Windows 386
$FWDIR\tmp 386
fwd 386
fwm 387
in.ahttpd 387
in.asmtp.d 387
in.atelnetd 387
in.arlogind 387
in.aftpd 387
in.aclientd 387
in.ahclientd 387
fw kill 387
Summary 388
Solutions Fast Track 388
Frequently Asked Questions 390
Chapter 9 Tracking and Alerts 393
Introduction 394
Alerts Commands 394
Using Track Options 395
Logging Modifiers 396
Time Settings 396
Alerts Commands 397
User-Defined Tracking 399
alertf 400
Advanced User-Defined Alerts 400
Suspicious Activities Monitoring (SAM) 403
Check Point Malicious Activity Detection
(CPMAD) 406
CPMAD Configuration 408
cpmad_config.conf 408
CPMAD Problems 410
Summary 412
Solutions Fast Track 412
Frequently Asked Questions 414
Alert Context Menu
When you create a new rule, or wish to modify an existing rule, simply right-click on the Action column, and you’ll see a Context menu.
Chapter 10 Configuring Virtual Private Networks 415
Introduction 416
Encryption Schemes 416
Encryption Algorithms; Symmetric vs. Asymmetric Cryptography 417
Key Exchange Methods: Tunneling vs. In-Place Encryption 419
Hash Functions and Digital Signatures 420
Certificates and Certificate Authorities 421
Types of VPNs 421
VPN domains 422
Configuring an FWZ VPN 422
Defining Objects 423
Local Gateway 423
Remote Gateway 423
Adding VPN Rules 425
FWZ Limitations 427
Configuring an IKE VPN 427
Defining Objects 428
Local Gateway 428
Remote Gateway 429
Adding VPN Rules 430
Testing the VPN 432
Debugging VPNs 433
Considerations for External Networks 435
Configuring a SecuRemote VPN 435
Local Gateway Object 436
User Encryption Properties 436
FWZ 437
IKE 437
Client Encryption Rules 439
Installing SecuRemote Client Software 440
Using SecuRemote Client Software 442
Secure Domain Login (SDL) 445
Summary 447
Solutions Fast Track 447
Frequently Asked Questions 449
Answers to Your Frequently Asked Questions
Q: What does “No response from peer: Scheme IKE” mean when seen in logs during VPN testing?
A: Confirm that fwd and isakmpd are running on your peer gateway. Isakmpd listens on UDP port 500; you can use the “netstat” command to double-check this (on Unix platforms and Windows platforms).
Chapter 11 Securing Remote Clients 451
Introduction 452
Installing and Configuring a Policy Server 452
Install from CD 453
Configuring a Policy Server 454
Desktop Security Options 455
Desktop Security Policy 455
Desktop Security Global Properties 458
Desktop Configuration Verification 459
Early Versions Compatibility 460
Client Encrypt Rules 461
Installing SecureClient Software 463
SecureClient Packaging Tool 465
Logging into the Policy Server 473
Summary 475
Solutions Fast Track 475
Frequently Asked Questions 477
Chapter 12 Advanced Configurations 479
Introduction 480
Check Point High Availability (CPHA) 480
Enabling High Availability 481
Failing Over 484
Firewall Synchronization 486
Single Entry Point VPN Configurations (SEP) 488
Gateway Configuration 489
Policy Configuration 495
Multiple Entry Point VPN Configurations (MEP) 495
Overlapping VPN Domains 496
Gateway Configuration 499
Overlapping VPN Domains 501
Other High Availability Methods 504
Routing Failover 505
Hardware Options 505
Summary 507
Solutions Fast Track 507
Frequently Asked Questions 508
You can selectively weed out protocols that are hogging too many resources when compared to the necessity of their HA condition by editing the $FWDIR/lib/user.def file and inserting a line like this:
//Dont sync the web!

Installing and Configuring a Policy Server
■ Install the Policy Server from the Check Point NG CD-ROM.
■ Enable the Policy Server as an installed product in your firewall object.
■ Set the user group to use with the Policy Server in the Authentication tab of your firewall object.
Appendix A Class C Subnet Mask Cheat Sheet 511
Appendix B Spoofing: Attacks on Trusted Identity 519
Introduction 520
What It Means to Spoof 520
Spoofing Is Identity Forgery 520
Spoofing Is an Active Attack against Identity Checking Procedures 521
Spoofing Is Possible at All Layers of Communication 521
Spoofing Is Always Intentional 522
Spoofing May Be Blind or Informed, but Usually Involves Only Partial Credentials 523
Spoofing Is Not the Same Thing as Betrayal 524
Spoofing Is Not Necessarily Malicious 524
Spoofing Is Nothing New 525
Background Theory 525
The Importance of Identity 526
The Evolution of Trust 527
Asymmetric Signatures between Human Beings 527
Establishing Identity within Computer Networks 529
Return to Sender 530
In the Beginning, There Was…a Transmission 531
Capability Challenges 533
Ability to Transmit: “Can It Talk to Me?” 533
Ability to Respond: “Can It Respond to Me?” 535
Ability to Encode: “Can It Speak My Language?” 539
Ability to Prove a Shared Secret: “Does It Share a Secret with Me?” 541

In this Appendix, we will make a slight departure from focusing on securing your network using Check Point products, and instead focus on the theories and methodologies behind spoofing attacks. To successfully secure your systems, you must understand the motives and the means of those who intend to launch a malicious attack against your network. In this Appendix, Dan “Effugas” Kaminsky, world-renowned cryptography expert and frequent speaker at the Black Hat Briefings and DEF CON, provides invaluable insight into the inner workings of a spoof attack. Look for the Syngress icon in the margin to find utilities and code samples, which are available for download from www.syngress.com/solutions.
Ability to Prove a Private Keypair: “Can I Recognize Your Voice?” 543
Ability to Prove an Identity Keypair: “Is Its Identity Independently Represented in My Keypair?” 544
Configuration Methodologies: Building a Trusted Capability Index 546
Local Configurations vs. Central Configurations 546
Desktop Spoofs 547
The Plague of Auto-Updating Applications 547
Impacts of Spoofs 549
Subtle Spoofs and Economic Sabotage 550
Flattery Will Get You Nowhere 550
Subtlety Will Get You Everywhere 552
Selective Failure for Selecting Recovery 552
Bait and Switch: Spoofing the Presence of SSL Itself 554
Down and Dirty: Engineering Spoofing Systems 562
Spitting into the Wind: Building a Skeleton Router in Userspace 562
Designing the Nonexistent: The Network Card That Didn’t Exist but Responded Anyway 563
Implementation: DoxRoute, Section by Section 564
Bring Out the Halon: Spoofing Connectivity Through Asymmetric Firewalls 586
Symmetric Outgoing TCP: A Highly Experimental Framework for Handshake-Only TCP Connection Brokering 587
Summary 594
Solutions Fast Track 595
Frequently Asked Questions 599
Index 603